
WO2015108536A1 - Mapping of tenant groups to identity management classes - Google Patents

Info

Publication number
WO2015108536A1
Authority
WO
WIPO (PCT)
Prior art keywords
identity management
delegation
groups
classes
mapping
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2014/012174
Other languages
English (en)
Inventor
Michael Bernd BEITER
Randall Edward Grohs
Current Assignee
Hewlett Packard Development Co LP
Original Assignee
Hewlett Packard Development Co LP
Priority date
2014-01-20
Filing date
2014-01-20
Publication date
2015-07-23
Application filed by Hewlett Packard Development Co LP
Priority to US15/112,371 (US10372483B2)
Priority to PCT/US2014/012174 (WO2015108536A1)
Publication of WO2015108536A1
Legal status: Ceased

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/468 Specific access rights for resources, e.g. using capability register

Definitions

  • a cloud system includes resources or services that can be shared by customers of a provider of the cloud system.
  • Resources can include processing resources, storage resources, communication resources, and so forth.
  • Services can be provided by applications or other machine-executable instructions.
  • the cloud system allows its resources or services to be accessed by customers on-demand.
  • Fig. 1 is a block diagram of an example cloud arrangement including a cloud system and tenants that are able to access the resources or services of the cloud system, in accordance with some implementations.
  • FIGs. 2 and 3 are schematic diagrams of mappings between tenant groups and identity management classes, according to various implementations.
  • FIGs. 4 and 5 are schematic diagrams of hierarchical delegation
  • Fig. 6 is a flow diagram of a cloud system process, according to some implementations.
  • FIGs. 7-9 are schematic diagrams of example mappings between tenant groups and identity management classes, according to various implementations.
  • Fig. 10 is a block diagram of an example cloud system according to some implementations.

Detailed Description

  • the infrastructure of a cloud system can be owned by or managed by a provider, which can be an entity such as a business concern, government agency, educational organization, or individual.
  • the infrastructure of the cloud system can be located at a particular geographic site, or can be distributed across multiple geographic sites.
  • the infrastructure includes cloud resources and cloud services that are made available to customers of the cloud system provider.
  • customers, which are also referred to as tenants, can be located anywhere, so long as they are able to access the cloud system over a network.
  • a tenant can refer to any collection of users, such as users who are members of a business concern, a government agency, or an educational organization.
  • Cloud resources can include any one or some combination of the following: processing resources (which can include processors of one or multiple computers), storage resources (which can include storage devices such as disk-based storage devices or solid state storage devices), communication resources (which can include communication devices to allow communications by users, where examples of communication devices can include routers, switches, communication establishment servers, etc.), and other resources.
  • the cloud system can also provide cloud services, such as web services, that can be invoked by users of tenants of the cloud system.
  • a user of a tenant can refer to a machine or a human.
  • a cloud service refers to a functionality that can be invoked by a tenant. The functionality can be provided by machine-readable instructions.
  • a web service refers to a service that is accessible over a network, such as the Internet.
  • a cloud system can include an identity management system that stores information to enable authentication of users attempting to access the cloud system, and authorization of access to requested resources or services of the cloud system. Other entities can interact with the identity management system to perform the authorization and authentication.
  • the identity management system can define privileges relating to the access of the resources and services of the cloud system.
  • a privilege can refer to the permission of a given user to perform a task with respect to the cloud system (or more specifically, with respect to an application in the cloud system), which can involve accessing a resource or service of the cloud system.
  • An application can refer to machine-readable instructions executable in the cloud system for managing access to a cloud resource and/or providing a cloud service.
  • the identity management system also provides privileges associated with the ability to create, read, update, or delete profile information of users.
  • the profile information of a user maintained by the identity management system can include various types of user data, including a user's name, email address, login name (for logging into the cloud system), one or multiple authentication credentials that allow a user to access the cloud system (examples of an authentication credential can include a password, biometric information of the user, a secure key, and so forth), and so forth.
  • the profile information of a user can include a public portion (which is known to other users) and a private portion (which is known only to the user and possibly an administrator).
  • the public portion of the profile information can include the name of the user that is publicly displayed, the user's email address, and so forth.
  • Examples of the private information of the user can include a login name, authentication credential, and so forth.
  • a "multi-tenant" identity management system is an identity management system that is able to perform identity management for multiple tenants, such as multiple tenants of a cloud system.
  • a tenant can also be associated with an identity management system.
  • the users of a tenant can be divided into multiple groups.
  • a group can refer to a set of users that can be identified by a unique name. Groups can be used for various purposes.
  • the groups can be part of an organizational structure, which can
  • departments can include an engineering department, a sales department, a finance department, an executive management department, and so forth.
  • Groups can also be used in distribution lists for performing communications among users of the tenant.
  • the distribution lists can include email distribution lists, which can allow a user to send an email to all members of a specific department or organizational unit.
  • the identity management system of a tenant can perform authorization based on the groups of the tenant. For example, an authorization can specify that access to a specific resource is to be given to members of a specific group.
  • Authorization can include role-based authorization (RBAC).
  • a user can be assigned a specific role (e.g. the role of a user, the role of an
  • one criterion can be group membership.
  • administrator group (group of users who are administrators in the tenant) can be assigned a ROLE_ADMIN role.
  • a user who is part of a user group can be assigned a ROLE_USER role.
  • Different roles are associated with different privileges.
  • mapping the groups of the tenant to identity management classes (which correspond to respective roles) provided by the cloud system 100 can be relatively simple.
  • An identity management class can refer to a class (provided by the identity management system of the cloud system) that is associated with a respective set of permissions with respect to access of the resources and/or services of the cloud system. As discussed further below, an identity management class can refer to a "system group" or to a role.
  • a first tenant may include an administrator group that should be granted a more elevated set of privileges than members of a different group, such as a user group.
  • a second tenant may specify that a group referred to as an administrator group should not be granted the elevated set of privileges, since the second tenant may include another super-administrator group that is the group that should be granted the elevated set of privileges.
  • the administrator group of the first tenant should not be mapped to the same identity management class as the administrator group of the second tenant, as doing so may lead to privilege escalation for members of the administrator group of the second tenant.
  • Privilege escalation refers to granting privileges to members of a particular group that are greater than what such members are entitled to.
  • a cloud system 100 includes an identity management engine 102 that provides a mapping 104 of tenant groups (groups of various tenants 106) to identity management classes of the cloud system 100.
  • the identity management engine 102 can use RBAC to specify an authorization schema for users, in which users are granted permissions based on roles assigned to the users. Each role is associated with a respective set of one or multiple privileges with respect to access of resources and/or services of the cloud system 100.
  • the identity management engine 102 also maintains profile information for various users, such as users of the tenants 106.
  • the mapping 104 can map tenant groups to one of two different types of identity management classes.
  • Fig. 2 shows a mapping 104 between tenant groups and system groups
  • Fig. 3 shows a mapping 104 between tenant groups and roles.
  • the cloud system 100 includes hierarchical delegation information 108 that specifies delegation rights among the identity management classes.
  • a delegation right specifies a right of a member of a given identity management class to perform delegation with respect to a particular one of the identity management classes.
  • Performing delegation with respect to a particular identity management class can include any one or some combination of the following: enrolling a new member in the particular identity management class, modifying information of a member in the particular identity management class, or removing a member from the identity management class.
  • the hierarchical delegation information 108 describes the identity management class that a member has to be part of in order to perform delegation with respect to a particular identity management class.
  • the cloud system 100 includes a delegation engine 110 that is able to use the mapping 104 and the hierarchical delegation information 108 to determine whether or not a first member of a first of the identity management classes is allowed to perform delegation with respect to a second member in one of the identity management classes, in response to a request by the first member to perform the delegation with respect to the second member in one of the identity management classes.
  • the delegation engine 110 is able to prevent a tenant group from being translated into an identity management class that is higher than what the tenant group is entitled to.
  • Each of the engines (including 102 and 110, for example) of the cloud system 100 may be any combination of hardware and programming to implement the functionalities of the respective engine.
  • Such combinations of hardware and programming may be implemented in a number of different ways.
  • the programming for an engine may include executable instructions stored on a non- transitory machine-readable storage medium and the hardware for the engine may include processor(s) to execute those instructions.
  • the machine- readable storage medium may store instructions that, when executed by the processor(s), implement functionalities of the engine.
  • the machine-readable storage medium storing the instructions may be integrated in a computing device including the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to the computing device and the processing resource.
  • the processing resource may include one processor or multiple processors included in a single computing device or distributed across multiple computing devices.
  • the functionalities of any of the engines may be implemented in the form of electronic circuitry.
  • the cloud system 100 also includes one or multiple applications 112 that manage access to cloud service(s) 114 and cloud resource(s) 116.
  • the cloud service(s) 114 and cloud resource(s) 116 can be accessed on demand by the tenants 106, by accessing the application(s) 112.
  • Fig. 2 illustrates an example of the mapping 104 of Fig. 1.
  • the tenant groups correspond to the various groups of the tenants 106 shown in Fig. 1.
  • the tenant groups 202-1 to 202-n are mapped to various system groups 204-1, 204-2, 204-m.
  • the system groups 204-1, 204-2, 204-m are the identity management classes noted above.
  • the tenant groups are not mapped directly to the roles of the authorization schema used in the cloud system 100. Rather, the tenant groups are mapped to system groups that abstract the roles of the authorization schema of the cloud system 100.
  • Fig. 2 further shows a mapping between the system groups 204-1 to 204-m and various roles, including roles 206-1, 206-2, 206-p.
  • the mapping between the tenant groups and the system groups is an n:m mapping, which indicates that a specific tenant group can map to one or multiple system groups, and that a specific system group can map to one or multiple tenant groups.
  • the mapping between the system groups and the roles is an m:p mapping, which also indicates that a specific system group can map to one or multiple roles, and a specific role can map to one or multiple system groups.
  • the mapping between the tenant groups 202-1 to 202-n and the system groups 204-1 to 204-m can be managed by the identity management engine 102 of Fig. 1.
  • the mapping between the system groups 204-1 to 204-m and the roles 206-1 to 206-p can be managed by the application 112 of the cloud system 100.
  • the mapping between the tenant groups and the system groups can be a dynamic mapping, which can be dynamically changed by specific users of the tenants 106 or the cloud system 100.
  • users of a tenant that can modify the mapping 104 can be a tenant administrator.
  • the mapping between the system groups and the roles that is managed by the application 112 is a relatively static mapping, where changes occur less frequently.
  • the mapping between system groups and roles can change when the application 112 itself changes, such as when a new role is being
  • a new role can be mapped to a new system group, or the new role can be mapped to an existing system group.
  • FIG. 3 illustrates the mapping 104 according to alternative
  • the tenant groups 202-1, 202-2, 202-n are mapped to respective roles 206-1, 206-2, 206-p.
  • the mapping is an n:p mapping that allows a specific tenant group to be mapped to one or multiple roles, or that allows a specific role to be mapped to one or multiple tenant groups.
  • the roles 206-1 to 206-p are the identity management classes.
  • In the example of Fig. 2 or 3, it is possible for a user to be assigned to multiple identity management classes. Note that the multiple identity management classes are delegated separately and independently, in some implementations. By performing the delegation of the multiple identity management classes separately and independently, the permissions associated with the multiple identity management classes are not combined to achieve a higher level of privilege, which would lead to privilege escalation.
  • In Figs. 2 and 3, the roles of one application 112 are shown. Note that it is possible for the cloud system 100 to include multiple applications, where each application can be associated with a respective set of roles. For example, the set of roles associated with a first application can be different from the set of roles associated with a second application. In such examples, the mapping 104 can be modified to map tenant groups to the different sets of roles, either directly (such as shown in Fig. 3) or indirectly through system groups (such as shown in Fig. 2).
  • Fig. 4 shows an example of the hierarchical delegation information 108 of Fig. 1. The hierarchical delegation information 108 of Fig. 4 can be used with the mapping 104 of Fig. 2.
  • Various example system groups are depicted in Fig. 4, including a
  • a member of the SUPERUSERS system group can perform delegation with respect to a member of the USERS system group.
  • a member of the SUPERUSERS system group can enroll a new member in the USERS system group.
  • a member of the SUPERUSERS group can remove a member from the USERS system group.
  • Another arrow 404 indicates that a member of the SUPERUSERS system group can perform delegation with respect to a member of the same SUPERUSERS system group.
  • the hierarchical delegation information 108 of Fig. 4 also indicates that a member of the TENANT_ADMINS system group can perform delegation with respect to a member of any of the USERS system group, the SUPERUSERS system group, or the BACKUP_OPERATOR system group. However, a member of the TENANT_ADMINS system group is unable to perform delegation with respect to a member of the TENANT_ADMINS system group.
  • a member of the ADMIN system group can perform delegation with respect to a member of the
  • the hierarchical delegation information 108 specifies a delegation hierarchy among different roles, including a ROLE_USER role, a ROLE_SUPERUSER role, a ROLE_TENANT_ADMIN role and a ROLE_ADMIN role.
  • the delegation hierarchy among different roles shown in Fig. 5 is interpreted in similar fashion as the delegation hierarchy amongst the different system groups of Fig. 4.
  • a member assigned the ROLE_SUPERUSER role can perform delegation with respect to a member assigned the ROLE_USER role.
  • In Fig. 4, delegation cannot be performed with respect to the ADMIN system group.
  • In Fig. 5, delegation cannot be performed with respect to the ROLE_ADMIN role.
  • one or multiple specific administrators can be identified to allow for performance of delegation with respect to the ADMIN system group or ROLE_ADMIN role.
  • the hierarchical delegation information 108 can be modified to specify that a member of the ADMIN system group (Fig. 4) or a member assigned the ROLE_ADMIN role (Fig. 5) can perform delegation with respect to the ADMIN system group or ROLE_ADMIN role, respectively.
  • the hierarchical delegation information 108 can be part of the information that describes the respective identity management classes, such as the system groups or roles discussed above. In such examples, the information describing the identity management classes is extended with the hierarchical delegation information 108. In other examples, the hierarchical delegation information 108 can be separate from the information that describes the identity management classes.
  • Fig. 6 is a flow diagram of a cloud system process according to some implementations.
  • the cloud system process of Fig. 6 can be performed by entities of the cloud system 100, including the identity management engine 102 and delegation engine 110.
  • the identity management engine 102 maps (at 602), using the mapping 104 of Fig. 1, groups of multiple tenants 106 to identity management classes corresponding to respective roles that grant respective authorizations for performing tasks with respect to at least one application (e.g. application 112 in Fig. 1).
  • the identity management classes can include the system groups of Fig. 2 or the roles of Fig. 3.
  • the identity management classes are associated with hierarchical delegation information 108, such as according to the example of Figs. 4 or 5.
  • the delegation engine 110 determines (at 604), based on the hierarchical delegation information 108, whether the first member is allowed to perform the delegation with respect to the second member.
  • Fig. 7 illustrates an example mapping between tenant groups and system groups, in accordance with some implementations.
  • the tenant groups shown in Fig. 7 are part of the system groups depicted in the hierarchical delegation information 108 of Fig. 4.
  • the tenant groups are groups of a particular tenant, referred to as "CUSTOMER A" in Fig. 7.
  • the tenant groups of CUSTOMER A include a USERS tenant group and an ADMINS tenant group.
  • the USERS tenant group is mapped to the USERS system group, while the ADMINS tenant group is mapped to each of the following system groups: SUPERUSERS, TENANT_ADMINS, and BACKUP_OPERATOR.
  • a member of the ADMINS tenant group can perform delegation with respect to a member of any of the following system groups: SUPERUSERS, BACKUP_OPERATOR, USERS.
  • a member of the ADMINS tenant group is unable to perform delegation with respect to a member of the TENANT_ADMINS system group.
  • a member of the ADMINS tenant group has all the privileges that come with the following system groups: SUPERUSERS, TENANT_ADMINS, and BACKUP_OPERATOR.
  • Fig. 8 shows an example mapping between tenant groups of another tenant (CUSTOMER B) and the system groups included in the hierarchical delegation information 108 of Fig. 4.
  • the tenant groups associated with CUSTOMER B include USERS, SUPERUSERS, and ADMINS.
  • the USERS tenant group is mapped to the USERS system group.
  • the SUPERUSERS tenant group is mapped to the SUPERUSERS system group.
  • the ADMINS tenant group is mapped to the following system groups: TENANT_ADMINS and BACKUP_OPERATOR.
  • a member of the USERS tenant group cannot perform delegation with respect to a member of any of the system groups depicted in Fig. 4. However, a member of the USERS tenant group has all privileges that come with the USERS system group.
  • a member of the SUPERUSERS tenant group can perform delegation with respect to a member of the following system groups: SUPERUSERS and USERS. However, a member of the SUPERUSERS tenant group cannot perform delegation with respect to the following system groups: TENANT_ADMINS and BACKUP_OPERATOR. A member of the SUPERUSERS tenant group nonetheless has all privileges that come with the SUPERUSERS system group.
  • a member of the ADMINS tenant group can perform delegation with respect to the following system groups:
  • a member of the ADMINS tenant group cannot perform delegation with respect to a member of the TENANT_ADMINS system group.
  • a member of the ADMINS tenant group has all privileges that come with the following system groups: TENANT_ADMINS and BACKUP_OPERATOR.
  • Fig. 9 shows an example mapping between tenant groups and system groups and between system groups and roles of multiple applications:
  • the cloud system 100 has multiple applications, where each of the applications can be associated with a respective set of roles (which may be different from one another). The different roles associated with the different applications provide different permissions to respective users regarding access of resources associated with the different applications.
  • Two tenants are shown in the example of Fig. 9, including COMPANY 1 and COMPANY 2.
  • COMPANY 1 has one tenant group: SUPERUSERS.
  • COMPANY 2 has two tenant groups: IT DEPT and IDF_ADMINS.
  • the SUPERUSERS tenant group of COMPANY 1 is mapped to the SUPERUSERS system group.
  • the IT DEPT and IDF_ADMINS tenant groups of COMPANY 2 are both mapped to the SUPERUSERS system group.
  • the IT DEPT and IDF_ADMINS tenant groups of COMPANY 2 are also mapped to the TENANT_ADMINS system group.
  • the SUPERUSERS system group is mapped to the following roles of APPLICATION 1 : ROLE_THEME_ADMINS and ROLE_PDL_ADMIN.
  • the SUPERUSERS system group is mapped to the following role of APPLICATION 2: ROLE_BACKUP_MGR.
  • a hierarchical, restricted delegation that specifies delegation rights can be provided for a mapping between tenant groups and identity management classes.
  • arbitrary tenant groups which can be associated with multiple tenants, can be mapped to well-defined identity management classes that are related to permissions, while preventing a tenant group from being translated into an identity management class that is higher than what the tenant group is entitled to.
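As an added example (not code from the patent or its assignee), the following Python models the mapping 104, the Fig. 4 hierarchical delegation information 108 and the Fig. 6 step 604 decision of the delegation engine 110, using the CUSTOMER A and CUSTOMER B data of Figs. 7 and 8 and the SUPERUSERS role mapping of Fig. 9. The delegation rights of the BACKUP_OPERATOR and ADMIN system groups, which the page does not state completely, are assumptions.

```python
"""Illustration (not the patent's own code) of tenant-group -> identity
management class mapping with hierarchical, restricted delegation.  All data
is constructed from the CUSTOMER A / CUSTOMER B examples of Figs. 7 and 8."""
from __future__ import annotations

# Hierarchical delegation information 108 (Fig. 4).  For each system group, the
# system groups whose members it may delegate with respect to (enrol, modify,
# remove).  ADMIN is never a target: in Fig. 4 nothing may delegate into it.
DELEGATION: dict[str, frozenset[str]] = {
    "USERS": frozenset(),
    "SUPERUSERS": frozenset({"USERS", "SUPERUSERS"}),       # arrows 402 and 404
    "BACKUP_OPERATOR": frozenset(),                         # assumption: none stated
    "TENANT_ADMINS": frozenset({"USERS", "SUPERUSERS", "BACKUP_OPERATOR"}),
    "ADMIN": frozenset({"USERS", "SUPERUSERS", "BACKUP_OPERATOR",
                        "TENANT_ADMINS"}),                  # assumption: sentence cut off
}

# Mapping 104 (Figs. 7 and 8): (tenant, tenant group) -> system groups.  Keying
# by tenant keeps the two tenants' "ADMINS" groups independent of each other.
MAPPING: dict[tuple[str, str], frozenset[str]] = {
    ("CUSTOMER A", "USERS"): frozenset({"USERS"}),
    ("CUSTOMER A", "ADMINS"): frozenset({"SUPERUSERS", "TENANT_ADMINS",
                                         "BACKUP_OPERATOR"}),
    ("CUSTOMER B", "USERS"): frozenset({"USERS"}),
    ("CUSTOMER B", "SUPERUSERS"): frozenset({"SUPERUSERS"}),
    ("CUSTOMER B", "ADMINS"): frozenset({"TENANT_ADMINS", "BACKUP_OPERATOR"}),
}

# System group -> roles per application (m:p mapping of Fig. 9; only the
# SUPERUSERS row is given on the page).
ROLES: dict[str, dict[str, frozenset[str]]] = {
    "SUPERUSERS": {
        "APPLICATION 1": frozenset({"ROLE_THEME_ADMINS", "ROLE_PDL_ADMIN"}),
        "APPLICATION 2": frozenset({"ROLE_BACKUP_MGR"}),
    },
}


def system_groups_of(tenant: str, tenant_group: str) -> frozenset[str]:
    """Identity management classes a tenant group is mapped to (step 602).
    An unmapped tenant group yields no class, so lookups fail closed."""
    return MAPPING.get((tenant, tenant_group), frozenset())


def can_delegate(tenant: str, requester_group: str, target_class: str) -> bool:
    """Step 604: may a member of `requester_group` perform delegation with
    respect to a member of `target_class`?  Each mapped class is consulted on
    its own; rights are never synthesised from a combination of classes, so
    holding SUPERUSERS and BACKUP_OPERATOR does not yield TENANT_ADMINS rights."""
    if target_class not in DELEGATION:          # unknown class: deny, never guess
        return False
    return any(target_class in DELEGATION[cls]
               for cls in system_groups_of(tenant, requester_group))


def delegatable_classes(tenant: str, tenant_group: str) -> frozenset[str]:
    """All classes a tenant group's members may delegate with respect to."""
    return frozenset(c for c in DELEGATION if can_delegate(tenant, tenant_group, c))


def effective_roles(tenant: str, tenant_group: str, application: str) -> frozenset[str]:
    """Roles of one application reached through the system-group mapping."""
    return frozenset().union(*(ROLES.get(cls, {}).get(application, frozenset())
                               for cls in system_groups_of(tenant, tenant_group)))


def enroll(directory: dict[str, set[str]], tenant: str, requester_group: str,
           new_member: str, target_class: str) -> bool:
    """Delegation engine acting on an enrolment request: add `new_member` to
    `target_class` only when the hierarchy allows it.  Returns whether it did."""
    if not can_delegate(tenant, requester_group, target_class):
        return False
    directory.setdefault(new_member, set()).add(target_class)
    return True


if __name__ == "__main__":
    for key in MAPPING:
        print(key, "may delegate w.r.t.", sorted(delegatable_classes(*key)))
```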
  • Fig. 10 is a block diagram of an example cloud system 100 that includes one or multiple computers 1002, according to some implementations.
  • Each computer 1002 includes one or multiple processors 1004, which can be connected to a network interface 1006 to allow the computer 1002 to communicate over a data network.
  • the processor(s) 1004 can be coupled to a non-transitory machine-readable storage medium (or storage media) 1008, which can store instructions and other information.
  • the instructions can include machine-readable instructions 1010, which can include identity management instructions 1012 (that are part of the identity management engine 102 of Fig. 1) and delegation instructions 1014 (that are part of the delegation engine 110 of Fig. 1).
  • the machine-readable instructions 1010 are executable on the processor(s) 1004.
  • a processor can include a microprocessor, microcontroller, processor module or subsystem, programmable integrated circuit, programmable gate array, or another control or computing device.
  • the storage medium (or storage media) 1008 can also store the mapping 104 and hierarchical delegation information 108 discussed above.
  • the storage medium (or storage media) 1008 can also store application instructions 1016, which can correspond to the application(s) 112 depicted in Fig. 1.
  • a "machine-readable storage medium" may be any electronic, magnetic, optical, or other physical storage apparatus to contain or store information such as executable instructions, data, and the like.
  • any machine-readable storage medium described herein may include any of various forms of memory including semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories; magnetic disks such as fixed, floppy and removable disks; other magnetic media including tape; optical media such as compact disks (CDs) or digital video disks (DVDs); or other types of storage devices.
  • the instructions discussed above can be provided on one computer-readable or machine-readable storage medium, or alternatively, can be provided on multiple computer-readable or machine-readable storage media distributed in a large system having possibly plural nodes.
  • Such computer-readable or machine-readable storage medium or media is (are) considered to be part of an article (or article of manufacture).
  • An article or article of manufacture can refer to any manufactured single component or multiple components.
  • the storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

According to the invention, groups of a plurality of tenants are mapped to identity management classes corresponding to respective roles that grant respective authorizations. The identity management classes are associated with hierarchical delegation information that specifies delegation rights among the identity management classes, the delegation rights specifying rights of members of the respective identity management classes to perform delegation with respect to other members of the identity management classes. In response to a request by a first member of a first identity management class among the identity management classes to perform delegation with respect to a second member of one of the identity management classes, it is determined, based on the hierarchical delegation information, whether or not the first member is allowed to perform the delegation with respect to the second member.

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
US15/112,371 US10372483B2 (en) | 2014-01-20 | 2014-01-20 | Mapping tenant groups to identity management classes
PCT/US2014/012174 WO2015108536A1 (fr) | 2014-01-20 | 2014-01-20 | Mapping of tenant groups to identity management classes

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
PCT/US2014/012174 WO2015108536A1 (fr) | 2014-01-20 | 2014-01-20 | Mapping of tenant groups to identity management classes

Publications (1)

Publication Number | Publication Date
WO2015108536A1 | 2015-07-23

Family

ID=53543294

Family Applications (1)

Application Number | Status | Title | Priority Date | Filing Date
PCT/US2014/012174 WO2015108536A1 (fr) | Ceased | Mapping of tenant groups to identity management classes | 2014-01-20 | 2014-01-20

Country Status (2)

Country Link
US (1) US10372483B2 (fr)
WO (1) WO2015108536A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10156842B2 (en) 2015-12-31 2018-12-18 General Electric Company Device enrollment in a cloud service using an authenticated application
US10218703B2 (en) 2014-01-20 2019-02-26 Hewlett-Packard Development Company, L.P. Determining a permission of a first tenant with respect to a second tenant
EP3588356A1 (fr) * 2018-06-29 2020-01-01 Accenture Global Solutions Limited Cross-application identity and access management

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2931750C (fr) * 2014-02-07 2023-03-07 Oracle International Corporation Customized execution environment for cloud computing services
US11223613B2 (en) * 2014-05-02 2022-01-11 Cloudblue Llc Methods and systems for roles and membership management in a multi-tenant cloud environment
US10706166B1 (en) * 2017-03-30 2020-07-07 Amazon Technologies, Inc. Application specific schema extensions for a hierarchical data structure
US10764299B2 (en) * 2017-06-29 2020-09-01 Microsoft Technology Licensing, Llc Access control manager
US10754932B2 (en) * 2017-06-29 2020-08-25 Sap Se Centralized consent management
US10958659B2 (en) * 2017-08-30 2021-03-23 Red Hat, Inc. Setting application permissions in a cloud computing environment
US12182841B2 (en) 2018-06-15 2024-12-31 Paypal, Inc. Multi-tenant dispute services
US11336453B2 (en) 2018-06-15 2022-05-17 Paypal, Inc. Transactions between services in a multi-tenant architecture
US11030329B2 (en) 2018-06-15 2021-06-08 Paypal, Inc. Unified identity services for multi-tenant architectures
US11470166B2 (en) * 2018-06-15 2022-10-11 Paypal, Inc. Multi-tenant marketplace architectures
US11113675B2 (en) 2018-06-15 2021-09-07 Paypal, Inc. Unified transaction services for multi-tenant architectures
US11032287B1 (en) * 2018-07-02 2021-06-08 Amazon Technologies, Inc. Delegated administrator with defined permission boundaries in a permission boundary policy attachment for web services and resources
JP7412405B2 (ja) * 2021-12-23 2024-01-12 株式会社日立製作所 Information processing system and information processing method
US20250294030A1 (en) * 2022-12-09 2025-09-18 Rakuten Symphony, Inc. Managing Tenant Users in Coordination with Identity Provider

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110231899A1 (en) * 2009-06-19 2011-09-22 ServiceMesh Corporation System and method for a cloud computing abstraction layer
US20120151568A1 (en) * 2010-12-13 2012-06-14 International Business Machines Corporation Method and system for authenticating a rich client to a web or cloud application
US20120179646A1 (en) * 2011-01-12 2012-07-12 International Business Machines Corporation Multi-tenant audit awareness in support of cloud environments
US20130185431A1 (en) * 2012-01-12 2013-07-18 Hcl Technologies Limited Uniform Definition, Provision, and Access of Software Services on the Cloud

Family Cites Families (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6397125B1 (en) 1998-12-18 2002-05-28 International Business Machines Corporation Method of and apparatus for performing design synchronization in a computer system
US8161081B2 (en) 2001-03-16 2012-04-17 Michael Philip Kaufman System and method for generating automatic user interface for arbitrarily complex or large databases
WO2003098466A1 (fr) 2002-05-14 2003-11-27 Verity, Inc. Apparatus and method for ranking documents by relevance with a dynamically configurable sensitive region
US7546633B2 (en) * 2002-10-25 2009-06-09 Microsoft Corporation Role-based authorization management framework
US7343628B2 (en) 2003-05-28 2008-03-11 Sap Ag Authorization data model
US7630974B2 (en) 2004-09-28 2009-12-08 Oracle International Corporation Multi-language support for enterprise identity and access management
US7996883B2 (en) 2004-12-09 2011-08-09 International Business Machines Corporation Centralized identity management for delegating resource management in a technology outsourcing environment
US7571473B1 (en) * 2005-06-10 2009-08-04 Sprint Communications Company L.P. Identity management system and method
US8997246B2 (en) * 2005-10-04 2015-03-31 Disney Enterprises, Inc. System and/or method for authentication and/or authorization via a network
US8447829B1 (en) * 2006-02-10 2013-05-21 Amazon Technologies, Inc. System and method for controlling access to web services resources
US9177124B2 (en) 2006-03-01 2015-11-03 Oracle International Corporation Flexible authentication framework
US9262545B2 (en) 2007-01-22 2016-02-16 Syracuse University Distributed video content management and sharing system
CA2733364A1 (fr) 2007-08-02 2009-02-05 Fugen Solutions, Inc. Method and apparatus for multi-domain identity certification and interoperability
US20090076865A1 (en) * 2007-09-17 2009-03-19 Rousselle Philip J Methods to provision, audit and remediate business and it roles of a user
US8132231B2 (en) * 2007-12-06 2012-03-06 International Business Machines Corporation Managing user access entitlements to information technology resources
US8850041B2 (en) * 2009-05-26 2014-09-30 Microsoft Corporation Role based delegated administration model
US8843648B2 (en) * 2009-05-26 2014-09-23 Microsoft Corporation External access and partner delegation
US8555055B2 (en) * 2009-06-02 2013-10-08 Microsoft Corporation Delegation model for role-based access control administration
US20100325684A1 (en) * 2009-06-17 2010-12-23 Microsoft Corporation Role-based security for messaging administration and management
US8468345B2 (en) 2009-11-16 2013-06-18 Microsoft Corporation Containerless data for trustworthy computing and data services
US20110126197A1 (en) 2009-11-25 2011-05-26 Novell, Inc. System and method for controlling cloud and virtualized data centers in an intelligent workload management system
US8458191B2 (en) 2010-03-15 2013-06-04 International Business Machines Corporation Method and system to store RDF data in a relational store
EP2583211B1 (fr) 2010-06-15 2020-04-15 Oracle International Corporation Virtual computing infrastructure
US8782748B2 (en) * 2010-06-22 2014-07-15 Microsoft Corporation Online service access controls using scale out directory features
EP2458548A1 (fr) 2010-11-30 2012-05-30 France Telecom System and method for implementing dynamic access control rules for dematerialized personal information
US8763010B2 (en) 2010-12-07 2014-06-24 Nec Laboratories America, Inc. System and method for gathering context parameters to determine a mobile user context
US8793286B2 (en) * 2010-12-09 2014-07-29 International Business Machines Corporation Hierarchical multi-tenancy management of system resources in resource groups
US9430291B2 (en) 2010-12-30 2016-08-30 International Business Machines Corporation Distributed topology enabler for identity manager
US8510267B2 (en) 2011-03-08 2013-08-13 Rackspace Us, Inc. Synchronization of structured information repositories
US8869244B1 (en) * 2011-05-03 2014-10-21 Symantec Corporation Techniques for providing role-based access control using dynamic shared accounts
US8806568B2 (en) 2011-07-11 2014-08-12 International Business Machines Corporation Automatic generation of user account policies based on configuration management database information
US8533231B2 (en) 2011-08-12 2013-09-10 Nexenta Systems, Inc. Cloud storage system with distributed metadata
US10044713B2 (en) 2011-08-19 2018-08-07 Interdigital Patent Holdings, Inc. OpenID/local openID security
US8789157B2 (en) * 2011-09-06 2014-07-22 Ebay Inc. Hybrid cloud identity mapping infrastructure
US10885179B2 (en) 2011-10-05 2021-01-05 Salesforce.Com, Inc. Just-in-time user provisioning framework in a multitenant environment
CN103136055B (zh) 2011-11-25 2016-08-03 国际商业机器公司 Method and apparatus for controlling the use of computing resources in a database service
US9256840B2 (en) 2011-12-01 2016-02-09 Sap Se Establishing business networks using a shared platform
US9009319B2 (en) 2012-01-18 2015-04-14 Rackspace Us, Inc. Optimizing allocation of on-demand resources using performance
US9058198B2 (en) 2012-02-29 2015-06-16 Red Hat Inc. System resource sharing in a multi-tenant platform-as-a-service environment in a cloud computing system
US9832156B2 (en) * 2012-03-23 2017-11-28 Salesforce.Com, Inc. Social networking system communities and associated user privileges implemented using a database system
US9053117B2 (en) 2012-04-11 2015-06-09 4Clicks Solutions, LLC Storing application data with a unique ID
US9838370B2 (en) * 2012-09-07 2017-12-05 Oracle International Corporation Business attribute driven sizing algorithms
US9069979B2 (en) * 2012-09-07 2015-06-30 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
US20140181992A1 (en) * 2012-12-21 2014-06-26 Michael Alexander Janson Multi-tenant content provider
US9454592B2 (en) * 2013-03-15 2016-09-27 International Business Machines Corporation Managing, importing, and exporting teamspace templates and teamspaces in content repositories
US9195841B2 (en) * 2013-03-15 2015-11-24 Sap Se Automated and delegated model-based row level security
JP6141076B2 (ja) * 2013-04-04 2017-06-07 キヤノン株式会社 System and control method therefor, access management service system and control method therefor, and program

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110231899A1 (en) * 2009-06-19 2011-09-22 ServiceMesh Corporation System and method for a cloud computing abstraction layer
US20120151568A1 (en) * 2010-12-13 2012-06-14 International Business Machines Corporation Method and system for authenticating a rich client to a web or cloud application
US20120179646A1 (en) * 2011-01-12 2012-07-12 International Business Machines Corporation Multi-tenant audit awareness in support of cloud environments
US20130185431A1 (en) * 2012-01-12 2013-07-18 Hcl Technologies Limited Uniform Definition, Provision, and Access of Software Services on the Cloud

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10218703B2 (en) 2014-01-20 2019-02-26 Hewlett-Packard Development Company, L.P. Determining a permission of a first tenant with respect to a second tenant
US10156842B2 (en) 2015-12-31 2018-12-18 General Electric Company Device enrollment in a cloud service using an authenticated application
US10156841B2 (en) 2015-12-31 2018-12-18 General Electric Company Identity management and device enrollment in a cloud service
US10444743B2 (en) 2015-12-31 2019-10-15 General Electric Company Identity management and device enrollment in a cloud service
US10719071B2 (en) 2015-12-31 2020-07-21 General Electric Company Device enrollment in a cloud service using an authenticated application
EP3588356A1 (fr) * 2018-06-29 2020-01-01 Accenture Global Solutions Limited Cross-application identity and access management
US10951625B2 (en) 2018-06-29 2021-03-16 Accenture Global Solutions Limited Cross-application identity and access management

Also Published As

Publication number Publication date
US10372483B2 (en) 2019-08-06
US20160335118A1 (en) 2016-11-17

Similar Documents

Publication Publication Date Title
US10372483B2 (en) Mapping tenat groups to identity management classes
US10218703B2 (en) Determining a permission of a first tenant with respect to a second tenant
US11368403B2 (en) Access management tags
US10652235B1 (en) Assigning policies for accessing multiple computing resource services
KR102490422B1 (ko) System and method for supporting partitions in a multitenant application server environment
CN109643242B (zh) Security design and architecture for a multi-tenant Hadoop cluster
US10382202B1 (en) Method and apparatus for federated identity and authentication services
CN108259422B (zh) Multi-tenant access control method and apparatus
US20200153870A1 (en) Dynamic authorization in a multi-tenancy environment via tenant policy profiles
US11102196B2 (en) Authenticating API service invocations
US8948399B2 (en) Dynamic key management
US20200067933A1 (en) Directory access sharing across web services accounts
US7702758B2 (en) Method and apparatus for securely deploying and managing applications in a distributed computing infrastructure
CN111159134A (zh) Secure access control method and system for a multi-tenant-oriented distributed file system
US20120131646A1 (en) Role-based access control limited by application and hostname
US11778539B2 (en) Role-based access control system
US12050709B2 (en) Methods and systems for tenancy in a multitenant environment
US20160335338A1 (en) Controlling replication of identity information
CN115001729A (zh) User permission management and control method, apparatus, device and medium
US9323581B1 (en) Space inheritance
US10708253B2 (en) Identity information including a schemaless portion
US11356438B2 (en) Access management system with a secret isolation manager
US8667140B1 (en) Distinguishing tenants in a multi-tenant cloud environment
Ots Workload Protection–Data
HK40007284B (en) Security design and architecture for a multi-tenant hadoop cluster

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14878934; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 15112371; Country of ref document: US)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14878934; Country of ref document: EP; Kind code of ref document: A1)